FFIEC Guidance Extends to CUs Without Social Media

Even credit unions without a social media presence on sites like Facebook or Twitter must comply with the Federal Financial Institutions Examination Council’s proposed social media guidance, CSI Regulatory Compliance Customer Relationship Manager Lee Thomas said in an Aug. 28 Credit Union Times ­webinar.

“Whether you are on social media is irrelevant,” Thomas said in response to a question from the webinar audience. “You need to monitor social media activity, whether it’s direct or what others are saying about you.”

That means all credit unions must develop an oversight process for monitoring social media, a task that Thomas said could be outsourced. He added that some credit unions told him they’re having an employee print all comments they find on Facebook, Twitter, YouTube and other sites, but called that process time consuming and painful.

In January, the FFIEC set a 60-day comment period on proposed guidance that would require all financial institutions and Consumer Financial Protection Bureau-supervised non-bank entities to develop formal social media policies and a risk governance program that includes how social media contributes to strategic goals, policies and procedures, third-party due diligence, employee training, oversight, audit and compliance functions.

The FFIEC’s 60-day comment period ended in March, but the regulatory group has yet to issue final guidance. When the FFIEC released the proposed guidance, it said in a release it would not impose additional obligations on financial institutions, but rather outline steps institutions should take to manage potential risks associated with social media, as they would with any new process or product channel.

Thomas presented examples of how the guidance would integrate existing regulations into social media. For example, social media posts that promote products such as credit cards must include a link to a website that includes disclosures required by Truth in Savings regulations.

Thomas also suggested credit unions make very clear to employees what they are prohibited from posting on their personal accounts. While he stressed that he hasn’t heard of personal posts made by employees coming up in safety and soundness exams, he said the topic could potentially be addressed by regulators.

“Your employees have access to a lot of member information,” he said. “Make sure loose lips don’t sink ships.”

Employee personal accounts on social media sites such as LinkedIn and Facebook may include work colleagues and personal friends, further increasing risk for employers.

“You don’t want your employee to post something on their personal site that could be viewed as negative or slander the institution,” Thomas said.

While state or federal regulators might not target specific employee posts, Thomas said they might ask if the credit union has shared a formal social media policy with employees regarding their personal accounts.